ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment ISO 9001 Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit ISO Product: ISO 27001 Internal Auditor Course
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • ISMS documentation

    How do I construct an ISMS document and supporting documents?
    My management is not in agreement to do Business Impact Analysis Worksheet and Risk and opportunities Register to proceed.
    How can I convince them to do so?
    I need your continuous support in managing ISMS to achieve certification.

  • Template content - List of Legal, Regulatory Contractual requirements

    Now I have 2 questions if you could help me with these:

    If I choose to use: 02.1 Appendix 1 (List of Legal, Regulatory Contractual requirements) right at the start of the Project (because also Annex A 18.1.1. control is likely to be applicable), could you explain me:

    • 1. How detailed description should be used when documenting “legislative, regulative and contractual requirements”? I mean do you need to write down the Act of the suitable law and name every individual contract and its points (vendor name, contract point and description of the matter)?
    • 2. What does the standard mean to “identify and document organizations approach to these meet these requirements”?

  • Templates content

    Hi, which templates cover the following ISO 27001 clauses?

    A.8.3.1
    A.12.5.1
    A.12.6.1

  • Templates content - RTO and RPO

    Today we bought the toolkit BIA according to the  ISO 22301:2012 version of the standard. But, checking the document  I cannot identify the  (RTO and RPO)  values.
    These values are very important for us because our customer is requesting as a part of the BIA report.
    How can identify,  relating or include these values in the Excel questionnaire?

  • Templates and applicable controls

    I have downloaded the Files saved under my Project. I have a Question here. Since there are around 114 Controls listed in the ISO 27001 Manual, do we here have each Template for each Control or one Template can be used for the documentation of the multiple Controls. For e.g you find attached the A.8.2 Template for the Documentation and in the Documentation (IT Security Policy) the below text is mentioned. So the Question is whether is the attached Document only for A.8.2 Valid or it is valid for all the Controls mentioned in the below screenshot.

  • Corrective actions

    I do have one more question about best practices for ISO 27001 implementation regarding corrective actions.

    Let's assume the scenario:
     - We have implemented ISMS policy
     - During the internal audit, we have found out non-conformance to the policy in a specific area/control.
     
    We can take three decisions based on known risks:

    •  Register non-conformance and resolve it in short-term
    •  Register exception to policy for 6-12 months
    •  Modify policy since it was too strict

    The option to address it in short therm is always the best, but I want to find out the best practices for long-term solutions (option 2).

    Is it better to keep the non-conformance list or exception list and revalidate it every time?

  • SoA and supplier-related risks

    I have the following question:

    Company A rents virtual as well as complete servers from a hosting provider. On these severs a development company develops customized software for company A. The scope of the ISMS of company A covers the whole organization and therefore also the data and applications on the servers. Company A has no own software development.

    Question: Regarding 14.2.5, 14.2.6, 14.2.8, 14.2.9, can company A exclude these controls in the SoA and only apply 14.2.7, as the responsibility/risk is contractually transferred to the development company and company A does not have any own software development? The risk assessment has shown some risks with regard to the development process on the servers, but this has been treated by contractually transferring the liability to the solution provider and applying chapter 15 controls. Contractually the development company is responsible for maintaining the security of the servers. What would be the best approach here?

  • Scenario based risk assessment

    What is the key difference between a asset-threat-vulnerabilty assessment and a scenario based assessment?  Don't you end up pulling threats and vulns through into any scenarion by default?

  • Justifications in the SoA

    SoA > Can "Mandatory according to iSO27001 or GDPR" be a valid justification or does it have to be a specific risk?

  • Development Risk Assessment and Treatment Methodology

    Adquiri o modelo de metodologia de avaliaçaõ e tratamento de riscos, ao desenvolver o documento vocês citam algumas referências como:

    • Nome do cargo
    • Cargo

    Quem seriam essas pessoas???

    (I acquired the risk assessment and treatment methodology model when developing the document you cite some references as:

    • Job Name
    • Position

    Who would these people be?)
Page 210 of 544 pages